/// <summary>
/// </summary>
/// <returns></returns>
public async Task PerformRoleMasterTasks()
{
KV2SecretEngine secEngine =
(KV2SecretEngine)_vaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name);
// Create the Path1 "secret"
KV2Secret a = new KV2Secret("path1");
var result = await secEngine.TryReadSecret(a);
if (!result.IsSuccess)
{
await secEngine.SaveSecret(a, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
// Create the AppData Folder
KV2Secret b = new KV2Secret(Constants.appData);
result = await secEngine.TryReadSecret(b);
if (!result.IsSuccess)
{
await secEngine.SaveSecret(b, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
return;
}
/// <summary>
/// Performs tasks that the Role1 user would do. Creating the actual application folders.
/// </summary>
/// <param name="role"></param>
/// <returns></returns>
public async Task PerformRole1Tasks()
{
try {
// Here we will create the AppA and B folders in both the path1 and the appData paths.
KV2Secret path1AppA = new KV2Secret(Constants.appName_A, "path1");
KV2Secret path1AppB = new KV2Secret(Constants.appName_B, "path1");
KV2Secret appDataAppA = new KV2Secret(Constants.appName_A, Constants.appData);
KV2Secret appDataAppB = new KV2Secret(Constants.appName_B, Constants.appData);
KV2Secret appData = new KV2Secret(Constants.appData);
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role1", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(role1.RoleID, _SIDRole1.ID);
// Create the secrets if they do not exist. We can attempt to Read the Secret on the path1 paths as we have full control
var result = await secretEngine.TryReadSecret(appData);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(appData, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
result = await secretEngine.TryReadSecret(path1AppA);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(path1AppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
result = await secretEngine.TryReadSecret(path1AppB);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(path1AppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
// We have to list the "folders" or secrets on the AppData path as we only have create and List permissions.
List <string> appFolders = await secretEngine.ListSecretsAtPath(appData);
if (!appFolders.Contains(Constants.appName_A))
{
await secretEngine.SaveSecret(appDataAppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
if (!appFolders.Contains(Constants.appName_B))
{
await secretEngine.SaveSecret(appDataAppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
}
catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); }
catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); }
}
public async Task PerformRoleATasks()
{
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(roleAppA.RoleID, _SIDRoleAppA.ID);
// Read existing secrets.
string rootPath = Constants.appData + "/" + Constants.appName_A + "/";
KV2Secret secretA1 = new KV2Secret("Database", rootPath);
bool readSuccess = false;
(readSuccess, secretA1) = await secretEngine.TryReadSecret <KV2Secret>(secretA1, 0);
// If it did not exist then create it.
if (!readSuccess)
{
secretA1 = new KV2Secret("Database", rootPath);
// Create Some Secrets.
secretA1.Attributes.Add("username", "abcUser");
secretA1.Attributes.Add("password", "passEncrypted");
secretA1.Attributes.Add("Connection", "db=1.2.3.4:4706/iInstance");
await secretEngine.SaveSecret(secretA1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0);
}
// Try to read the parent secret - should fail
KV2Secret secretParent = new KV2Secret(Constants.appData);
(readSuccess, secretParent) = await secretEngine.TryReadSecret <KV2Secret>(secretParent, 0);
// Lets try and read an AppB secret. Should fail.
try {
// Lets try and read an AppA secret. Should fail.
string rootBPath = Constants.appData + "/" + Constants.appName_B + "/";
KV2Secret secretB1 = new KV2Secret("Database", rootBPath);
(readSuccess, secretB1) = await secretEngine.TryReadSecret <KV2Secret>(secretB1, 0);
}
catch (VaultForbiddenException) {
Console.WriteLine("[SUCCESS-EXPECTED RESULT: User A does not have access to read from User B's secret store.");
}
// Lets update the secret.
string passwd = secretA1.Attributes["password"];
passwd = passwd + DateTime.Now.Hour;
secretA1.Attributes["password"] = passwd;
//secretEngine.SaveSecret(secretA1,)
}
public async Task PerformRoleBTasks()
{
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(roleAppB.RoleID, _SIDRoleAppB.ID);
// Read existing secrets.
string rootPath = Constants.appData + "/" + Constants.appName_B + "/";
KV2Secret secretB1 = new KV2Secret("Database", rootPath);
bool readSuccess = false;
(readSuccess, secretB1) = await secretEngine.TryReadSecret(secretB1, 0);
if (!readSuccess)
{
secretB1 = new KV2Secret("Database", rootPath);
// Create Some Secrets.
secretB1.Attributes.Add("username", "Buser");
secretB1.Attributes.Add("password", "Bpassword");
secretB1.Attributes.Add("Connection", "db=99.100.101.102:0/iBInstance");
await secretEngine.SaveSecret(secretB1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0);
}
try {
// Lets try and read an AppA secret. Should fail.
string rootAPath = Constants.appData + "/" + Constants.appName_A + "/";
KV2Secret secretA1 = new KV2Secret("Database", rootAPath);
(readSuccess, secretB1) = await secretEngine.TryReadSecret(secretA1, 0);
}
catch (VaultForbiddenException) {
Console.WriteLine("[SUCCESS-EXPECTED RESULT: User B does not have access to read from User A's secret store.");
}
int bb = 0;
bb++;
}